Discussions related to using object storage as a backup target.
Post Reply
graig.parizek
Novice
Posts: 4
Liked: never
Joined: Mar 05, 2024 3:50 am
Full Name: Graig P.

VBR Helper appliance does not support EBS encryption

Post by graig.parizek »

VBR S3 object repository will not allow a helper VM when EBS encryption is turned on by default. Also after enabling the option and having it fail, there seems to be no option to turn it off?
Mildur
Product Manager
Posts: 10984
Liked: 3016 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: VBR Helper appliance does not support EBS encryption

Post by Mildur »

Hello Graig

Are we talking about restoring on-premise workloads as a EC2 machine?
In that case it's a limitation from AWS. We tested this scenario 1.5 years ago.

When we restore a machine (HyperV, vSphere, Veeam Agent) as EC2 VM, the helper appliance will do the following steps:
1.) Creates empty EBS volumes (one per original machine disk)
2.) Hot-adds them to the helper appliance
3.) Restores data to the EBS volume
4.) Creates target EC2 instance
5.) Attaches the EBS volumes to it

The target EC2 instance will be created through an import of the EBS volume snapshot created in step 3. Because mandatory encryption is enabled in your AWS account, the EBS volume in step 1 is encrypted.
But we cannot import encrypted EBS volumes to create an EC2 instance. We saw the following error in our tests:

Code: Select all

"Importing VM Error: Failed to import machine to Amazon EC2: Using an encrypted snapshot as input is not supported"
Feel free to open a support case to verify that you also have faced this limitation with your restore.
Please provide me your support case number, if you decide to open a case.

Best,
Fabian
Product Management Analyst @ Veeam Software
graig.parizek
Novice
Posts: 4
Liked: never
Joined: Mar 05, 2024 3:50 am
Full Name: Graig P.

Re: VBR Helper appliance does not support EBS encryption

Post by graig.parizek »

Sorry, to clarify this is specifically the helper VM for doing health checks against s3 object storage. The helper EC2 instance tries to deploy and fails, which I'm told is because we have EBS default encryption enabled and isn't supported by VBR. Instance also had no options to deploy without a public IP.
Mildur
Product Manager
Posts: 10984
Liked: 3016 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: VBR Helper appliance does not support EBS encryption

Post by Mildur »

Hi Graig

All good. We have more than one helper appliances. Thanks for clarifying which helper appliance. :)
The helper EC2 instance tries to deploy and fails, which I'm told is because we have EBS default encryption enabled and isn't supported by VBR.
Just to have the full picture. Did you got this information from a Veeam support case or a forum post?

Best,
Fabian
Product Management Analyst @ Veeam Software
graig.parizek
Novice
Posts: 4
Liked: never
Joined: Mar 05, 2024 3:50 am
Full Name: Graig P.

Re: VBR Helper appliance does not support EBS encryption

Post by graig.parizek »

Veeam support case 03174796, case 07138589 found corruption which prompted the use of the helper appliance.
Mildur
Product Manager
Posts: 10984
Liked: 3016 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: VBR Helper appliance does not support EBS encryption

Post by Mildur »

Thank you. Please give me some time to confirm with our QA team if it is a limitation from AWS or us.
Instance also had no options to deploy without a public IP.
I got this request from another customer as well. Your vote is noted as +1.

Best,
Fabian
Product Management Analyst @ Veeam Software
graig.parizek
Novice
Posts: 4
Liked: never
Joined: Mar 05, 2024 3:50 am
Full Name: Graig P.

Re: VBR Helper appliance does not support EBS encryption

Post by graig.parizek »

Another thing that was noted is that after configuring the helper appliance on the S3 Repository, there is not option to remove the configuration and do a health check not using the helper.
will.garbutt
Lurker
Posts: 1
Liked: never
Joined: Mar 18, 2024 12:02 am
Full Name: Will Garbutt
Contact:

Re: VBR Helper appliance does not support EBS encryption

Post by will.garbutt »

I'm experiencing a similar issue.
When trying to restore to from an agent backup in Veeam B&R to EC2 and enable the use of a helper appliance I get the error: "Unable to import the instance from an encrypted volume snapshot."
If I choose not to enable the helper appliance, I get no error.
I have a case open: 07170148
I've made reference to this post in the case in hopes it helps troubleshoot the issue better
Mildur
Product Manager
Posts: 10984
Liked: 3016 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: VBR Helper appliance does not support EBS encryption

Post by Mildur »

Hi Will

Yes, I explained in my first comment that restoring with EBS encryption enabled is not supported (there are limitations on AWS side).

Best,
Fabian
Product Management Analyst @ Veeam Software
sarapinho
Enthusiast
Posts: 94
Liked: 8 times
Joined: Nov 10, 2015 12:40 pm
Full Name: Amauri Ramos
Contact:

Re: VBR Helper appliance does not support EBS encryption

Post by sarapinho »

Hey guys

Did your case have a solution? I have the same problem.
Mildur
Product Manager
Posts: 10984
Liked: 3016 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: VBR Helper appliance does not support EBS encryption

Post by Mildur »

Hi Amauri

Please lets continue in your topic.

Graig's case was closed a while ago. From the case notes I can see that the Graig added additional IAM permissions to the AWS account.
I'm waiting for QAs answer if those are required or not. But in my understanding those are required if you use a custom AWS KMS to encrypt your EBS volumes.

Code: Select all

"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey",
"kms:CreateGrant"
Will's case was about Restore machines as EC2 VM. Which is currently not supported. We have noted this scenario as a feature request.

Best,
Fabian
Product Management Analyst @ Veeam Software
sarapinho
Enthusiast
Posts: 94
Liked: 8 times
Joined: Nov 10, 2015 12:40 pm
Full Name: Amauri Ramos
Contact:

Re: VBR Helper appliance does not support EBS encryption

Post by sarapinho »

Hi Mildur.

Thanks for the answer, I'll validate it and post it here again.
Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest